Tuesday, February 19, 2013

MANDIANT REPORT: How Red China Engages in Open Warfare Against America's Critical Industries

Mandiant has published a lengthy, must-read report (PDF) on a Red Chinese cyber-war unit [APT1] that is openly attacking American firms.

One of the primary methods the PLA gains a beachhead inside the target firm is through spear-phishing, which uses a personalized email that entices the victim into clicking on a malicious link.

The Initial Compromise represents the methods intruders use to first penetrate a target organization’s network. As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel — and uses these accounts to send the emails. As a real-world example, this is an email that APT1 sent to Mandiant employees:

At first glance, the email appeared to be from Mandiant’s CEO, Kevin Mandia. However, further scrutiny shows that the email was not sent from a Mandiant email account, but from “kevin.mandia@rocketmail.com”. Rocketmail is a free webmail service. The account “kevin.mandia@rocketmail.com” does not belong to Mr. Mandia. Rather, an APT1 actor likely signed up for the account specifically for this spear phishing event. If anyone had clicked on the link that day (which no one did, thankfully), their computer would have downloaded a malicious ZIP file named “Internal_Discussion_Press_Release_In_Next_Week8.zip”. This file contained a malicious executable that installs a custom APT1 backdoor that we call WEBC2-TABLE.

Although the files that APT1 actors attach or link to spear phishing emails are not always in ZIP format, this is the predominant trend we have observed in the last several years. Below is a sampling of file names that APT1 has used with their malicious ZIP files:
2012ChinaUSAviationSymposium.zip
Employee-Benefit-and-Overhead-Adjustment-Keys.zip
MARKET-COMMENT-Europe-Ends-Sharply-Lower-On-Data-Yields-Jump.zip
Negative_Reports_Of_Turkey.zip
New_Technology_For_FPGA_And_Its_Developing_Trend.zip
North_Korean_launch.zip
Oil-Field-Services-Analysis-And-Outlook.zip
POWER_GEN_2012.zip
Proactive_Investors_One2One_Energy_Investor_Forum.zip
Social-Security-Reform.zip
South_China_Sea_Security_Assessment_Report.zip
Telephonics_Supplier_Manual_v3.zip
The_Latest_Syria_Security_Assessment_Report.zip
Updated_Office_Contact_v1.zip
Updated_Office_Contact_v2.zip
Welfare_Reform_and_Benefits_Development_Plan.zip

The example file names include military, economic, and diplomatic themes, suggesting the wide range of industries that APT1 targets. Some names are also generic (e.g., “updated_office_contact_v1.zip”) and could be used for targets in any industry.

On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.”